The peers carol and moon both have dynamic IP addresses, so that the remote end is defined symbolically by right=<hostname>. The ipsec starter resolves the fully-qualified hostname into the current IP address via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are expected to change over time, the option rightallowany=yes will allow an IKE main mode rekeying to arrive from an arbitrary IP address under the condition that the peer identity remains unchanged. When this happens the old tunnel is replaced by an IPsec connection to the new origin.
In this scenario carol first initiates a tunnel to moon. After some time carol suddenly changes her IP address and restarts the connection to moon without deleting the old tunnel first (simulated by iptables blocking IKE packets to and from carol and starting the connection from host dave using carol's identity).